Updated February 8, 2017
By default, DPA 9.2 and later automatically generates a self-signed certificate that is used to establish secure communication over HTTPS. This article describes how to replace the self-signed certificate with a custom certificate using keytool, a Java application.
This is a custom configuration not officially supported by SolarWinds. The support team cannot help you configure your certificate.
Before you begin, you must contact your administrator to determine the certificates required for your environment.
If you have a Java KeyStore (JKS) file from your administrator, you can rename it to .keystore and skip to step 2. SolarWinds recommends renaming the alias for the server certificate in the keystore file by running the following commands:
List all certificates stored in keystore file
Identify certificate for your DPA server and use its alias name as
Rename certificate alias
Default passwords are
If you do not have a JKS file from your administrator, follow these steps:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -storepass <KEYSTORE_PASSWORD> -keypass <CERTIFICATE_KEY_PASSWORD> -dname "CN=<HOST_NAME>,O=<ORGANISATION>,L=<LOCATION>,ST=<STATE>,C=<COUNTRY>"
dpa.yourdomain.com) or use a wildcard character (
keytool -certreq -keyalg RSA -alias tomcat -keystore .keystore -file <DPA_CERT_REQUEST_FILE> -storepass <KEYSTORE_PASSWORD>
keytool -import -alias <ALIAS> -keystore .keystore -trustcacerts -storepass <KEYSTORE_PASSWORD> -file <CERTIFICATE_CHAIN_FILE>
If you receive the following error message, ask your CA where to get these files.
keytool error: java.lang.Exception: Input not an X.509 certificate => chain certificate has to be in separate files
keytool -import -alias tomcat -keystore .keystore -storepass <KEYSTORE_PASSWORD> -file <DPA_SIGNED_CERT_FILE>
.keystore file into the
changeit), edit the
server.xml file and add these attributes to the
If your browser warns about an insecure connection, show the certificate information in your browser.
The requested host name does not match the certificate of the server.
Ensure that the certificate CommonName contains the host name of the DPA server.
The keystore used for import must be the one that was used to generate the CSR.
Use the same keystore file (.keystore) in all steps.
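A quick check for the two troubleshooting causes above, as an added example rather than SolarWinds code: it parses `keytool -list -v` output for one alias and confirms that the entry still holds the private key and that the CommonName covers the host name. The function names, sample listing and host name are constructed for illustration, and the check reads the CommonName only, as this article does.

```shell
#!/bin/sh
# Added example: reads `keytool -list -v` output for one alias on stdin.
# $1 is the host name users type into the browser.
check_entry() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    listing=$(tr -d '\r')        # tolerate CRLF output from Windows consoles

    # The alias must hold the private key created together with the CSR.
    # A signed certificate imported into a different keystore is stored as
    # a trustedCertEntry and cannot serve as the HTTPS certificate.
    etype=$(printf '%s\n' "$listing" | sed -n 's/^Entry type: *//p' | head -n 1)
    if [ "$etype" != "PrivateKeyEntry" ]; then
        echo "FAIL: entry type '${etype:-unknown}', expected PrivateKeyEntry"
        return 1
    fi

    # The first Owner line is the server certificate; take its CommonName.
    cn=$(printf '%s\n' "$listing" |
         sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1 | tr 'A-Z' 'a-z')
    case $cn in
        "$host") ;;                          # exact match
        '*.'*)                               # wildcard: one extra label only
            suffix=${cn#\*}
            label=${host%"$suffix"}
            case $host in *"$suffix") ;; *) label= ;; esac
            case $label in
                ''|*.*) echo "FAIL: CN '$cn' does not cover '$host'"; return 2 ;;
            esac ;;
        *) echo "FAIL: CN '$cn' does not match '$host'"; return 2 ;;
    esac
    echo "OK: PrivateKeyEntry with CN '$cn' covers '$host'"
}

# Constructed sample of `keytool -list -v -alias tomcat` output (not real data).
sample_listing() {
    cat <<'EOF'
Alias name: tomcat
Creation date: Feb 8, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.yourdomain.com, O=Example Org, L=Austin, ST=Texas, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
EOF
}

sample_listing | check_entry dpa.yourdomain.com
```

To run it against a real keystore, pipe in `keytool -list -v -alias tomcat -keystore .keystore -storepass <KEYSTORE_PASSWORD>` and pass the DPA server's host name as the argument.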